Smitfraud Variants including PestCapture, WinAntivirus Pro 2007, and other similar Malware Removal Instructions and Help

How Did My Computer Become Infected with a SmitFraud variant?

If your computer has become infected with one of these "spyware removal programs", you probably downloaded an infected codec program when you tried to watch a video online, or you may have been hit by a "drive-by" installation of Smitfraud.

SmitFraud attacks show fake antispyware program popups on your screen and/or a balloon popup from the Windows system tray displaying a warning message that your computer is infected with spyware and telling you to purchase, download and install their program to remove it.

The creator of each popup is an affiliate of the particular antispyware program they are promoting, so each time an unsuspecting user purchases the advertised program in hopes of removing the trojan, the person behind the attack gets paid.

Not a very ethical way of selling an antispyware, antivirus, or other
computer pest removal product.

In many of the infected computers I've dealt with, programs like "Video Access ActiveX Object" show up in the Control Panel and are the initial infection that starts the whole issue. Most of these programs, when scanned with an up-to-date virus scanner, are shown to be infected with viruses like Troj.Zlob.AN, which was part of the original SpyAxe trojan attack a couple of years ago. These attacks have spawned over 100 different varieties of malware issues. Many times the home page is redirected to a fake "online security center", or a user will receive a popup that looks almost identical to the normal Windows Security Center but isn't. You can see a couple of these fake alerts by clicking on the images below.

The popups and warnings are smokescreens and fake alerts to scare
visitors into buying a spyware removal tool that may not even remove
the trojan that caused the warnings in the first place.

As I stated above, many of these infections were installed by a fake codec like "Video Access ActiveX Object" that installed into the Program Files directory in Windows.

These files, like pmmnt.exe and pmsnrr.exe, install and attach themselves to the Windows Explorer shell so they are always resident, and they recreate themselves if you try to delete them in normal Windows mode. They hide in a registry key similar to

HijackThis will show various problem files. A typical HijackThis log from a system infected with this issue will look similar to this, with the problematic lines in bold. You'll notice this infected system was running Trend Micro PC-cillin Security Suite 2007 at the time of the infection, so these downloads and infections may even fool antivirus and antispyware tools.

2) Open the SmitRem folder and double-click on RunThis.bat to start the SmitRem removal procedure. Besides removing the particular files it looks for, the tool also runs the Disk Cleanup tool to remove temporary files on the hard drive that may contain problem files. For a tutorial on using SmitRem, click here

4) Double-click on MalwareBytes, install it, update it, and run it to remove miscellaneous rogue application files installed with SmitFraud.

5) While still in Safe Mode, run CCleaner. Analyze and clean the files it finds, then click on the Issues button on the left side of the screen and scan and fix any registry issues CCleaner discovers. Run both the Registry Scanner and the File Analyzer until nothing else is found.

6) Run HijackThis and remove any leftover issues. If you are not sure whether a line in HijackThis is a problem, reboot in normal mode and use the Online HijackThis Scanner to see if the file is a threat. Just copy and paste your HijackThis log file into the scanner and let it analyze it for you. Although it's not perfect, it will give you an idea of whether your system is clean or still needs some work. Do not delete anything with HijackThis unless you are absolutely sure what the file is and what it does.

For items in the HijackThis log like the following, which will not delete manually, use KillBox to browse to the location of the file and delete it, or delete it on reboot. Items that are impossible to remove without using KillBox usually show up in the O20 section of HijackThis.

8) Scan your computer with an online virus scanner like Housecall, BitDefender, or eTrust, or download and install an antivirus program and run a complete scan. A list of online scanners is below; some, however, will only scan but not remove issues.
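The article describes what an infected HijackThis log looks like (the "Video Access ActiveX Object" autostarts, the Explorer-shell hooks that resist deletion, and the O20 entries that usually need KillBox) but the log itself is not reproduced here. The following is an added triage example, not code from the article, HijackThis, or any of the tools it names: it parses the "Oxx - ..." line shape HijackThis writes and flags the kinds of entries the article calls out, so you can do a first pass on a log before deciding what to remove. The sample log, the trusted-host list, and the known-good autostart list are constructed assumptions for the example, and the pmsnrr.dll O20 entry is illustrative rather than a captured infection.

```python
"""Triage helper for HijackThis-style log lines (added example, not the article's code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# File names the article associates with the "Video Access ActiveX Object" fake codec.
KNOWN_SMITFRAUD_FILES = {"pmmnt.exe", "pmsnrr.exe"}
# Install-directory fragment the article names for the fake codec.
SUSPICIOUS_DIR_FRAGMENTS = ("video access activex",)
# Hosts treated as normal for an R0/R1 start/search page (assumption for this example).
TRUSTED_PAGE_HOSTS = {"www.msn.com", "www.microsoft.com", "go.microsoft.com", "www.google.com"}
# Autostarts treated as normal on a stock Windows XP install (assumption for this example).
KNOWN_GOOD_AUTOSTARTS = {"ctfmon.exe"}

# Constructed sample log using the HijackThis R1/O2/O4/O20/O23 line shapes.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://example-security-center.invalid/search
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [pmmnt] C:\Program Files\Video Access ActiveX Object\pmmnt.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: pmsnrr - C:\WINDOWS\system32\pmsnrr.dll
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\PcCtlCom.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+)\s+-\s+(?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line):
    """Return (section, body) for an 'O4 - ...' style line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(log_text):
    """Walk a HijackThis log and return the entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        path_m = PATH_RE.search(body)
        path = path_m.group(0) if path_m else ""
        name = path.rsplit("\\", 1)[-1].lower()

        if section == "O20":
            # Winlogon Notify / AppInit entries load into the shell at logon and
            # resist normal deletion; the article says these are the KillBox cases.
            findings.append(Finding(section, "shell hook (O20): resists deletion, remove with KillBox", raw))
        elif section == "O4":
            in_bad_dir = any(frag in path.lower() for frag in SUSPICIOUS_DIR_FRAGMENTS)
            if name in KNOWN_SMITFRAUD_FILES or in_bad_dir:
                findings.append(Finding(section, f"autostart of known SmitFraud component {name}", raw))
            elif name not in KNOWN_GOOD_AUTOSTARTS:
                findings.append(Finding(section, f"unrecognised autostart {name}: verify before removing", raw))
        elif section in ("R0", "R1"):
            url_m = URL_RE.search(body)
            if url_m and urlparse(url_m.group(0)).hostname not in TRUSTED_PAGE_HOSTS:
                findings.append(Finding(section, "start/search page points at an unrecognised site (possible fake security center)", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Running this against the sample log flags the hijacked search page (R1), the pmmnt.exe autostart (O4), and the O20 hook, and leaves the Adobe BHO, ctfmon.exe and the Trend Micro service alone. It is a first-pass filter only; as the article says, confirm each flagged file before deleting anything with HijackThis.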